Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2020-11-02 09:40:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.3463 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Mon Nov  2 09:40:20 2020 rev:3 rq:844834 version:2.150.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2020-10-20 16:03:29.521813228 +0200
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.3463/container-selinux.changes
    2020-11-02 09:40:27.173613351 +0100
@@ -1,0 +2,7 @@
+Thu Oct 29 07:52:21 UTC 2020 - Thorsten Kukuk <ku...@suse.com>
+
+- Update to version 2.150.0
+  - Add additional allow rules for kvm based containers using
+    virtiofsd.
+
+-------------------------------------------------------------------

Old:
----
  container-selinux-2.145.0.tar.gz

New:
----
  container-selinux-2.150.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.lpOhWS/_old  2020-11-02 09:40:28.469614595 +0100
+++ /var/tmp/diff_new_pack.lpOhWS/_new  2020-11-02 09:40:28.469614595 +0100
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.145.0
+Version:        2.150.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only

++++++ container-selinux-2.145.0.tar.gz -> container-selinux-2.150.0.tar.gz 
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.145.0/NOTICE 
new/container-selinux-2.150.0/NOTICE
--- old/container-selinux-2.145.0/NOTICE        1970-01-01 01:00:00.000000000 
+0100
+++ new/container-selinux-2.150.0/NOTICE        2020-10-22 21:07:11.000000000 
+0200
@@ -0,0 +1,15 @@
+Copyright (c) 2015, 2020, Free Software Foundation, Inc.
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.145.0/container.te 
new/container-selinux-2.150.0/container.te
--- old/container-selinux-2.145.0/container.te  2020-09-10 17:29:43.000000000 
+0200
+++ new/container-selinux-2.150.0/container.te  2020-10-22 21:07:11.000000000 
+0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.145.0)
+policy_module(container, 2.150.0)
 gen_require(`
        class passwd rootok;
 ')
@@ -104,6 +104,7 @@
 ifdef(`enable_mls',`
        init_ranged_daemon_domain(container_runtime_t, 
container_runtime_exec_t, s0 - mls_systemhigh)
 ')
+mls_trusted_object(container_runtime_t)
 
 
 ########################################
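Review bot: `mls_trusted_object(container_runtime_t)` is added right after the `enable_mls` block without a comment, although on MLS-enabled builds it exempts every object labeled container_runtime_t (its sockets, fds, proc entries) from the MLS read-down/write-up constraints. It is also applied to the type rather than the `container_runtime_domain` attribute the surrounding rules use, so other runtime domains in that attribute are not covered; confirm the narrower scope is intended. Presumably the reason is that ranged containers must use runtime sockets and fds at any level; if so, record it with `# Exempt runtime objects from MLS constraints so ranged containers can use its sockets/fds` above the line.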
@@ -115,6 +116,7 @@
 allow container_runtime_domain self:process ~setcurrent;
 allow container_runtime_domain self:passwd rootok;
 allow container_runtime_domain self:fd use;
+allow container_runtime_domain self:dir mounton;
 allow container_runtime_domain self:file mounton;
 
 allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
@@ -147,13 +149,17 @@
 corenet_tcp_connect_all_ports(container_runtime_domain)
 corenet_sctp_bind_all_ports(container_net_domain)
 corenet_sctp_connect_all_ports(container_net_domain)
+corenet_rw_tun_tap_dev(container_runtime_domain)
 
 container_auth_stream_connect(container_runtime_domain)
 
+manage_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
 manage_blk_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
+allow container_runtime_domain container_domain:key manage_key_perms;
 manage_sock_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
-allow container_runtime_domain container_file_t:dir {relabelfrom relabelto 
execmod};
-allow container_runtime_domain container_file_t:chr_file mmap_file_perms;
+allow container_runtime_domain container_file_t:dir_file_class_set 
{relabelfrom relabelto execmod};
+allow container_runtime_domain container_file_t:dir_file_class_set 
mmap_file_perms;
 
 manage_files_pattern(container_runtime_domain, container_home_t, 
container_home_t)
 manage_dirs_pattern(container_runtime_domain, container_home_t, 
container_home_t)
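Review bot: Changing the object class from `dir` to `dir_file_class_set` on the two rewritten `allow container_runtime_domain container_file_t:...` lines widens `execmod` from directories, where it has no effect, to regular files and every other file class, i.e. the runtime may now map container_file_t files writable-and-executable. The same hunk adds `allow container_runtime_domain container_domain:key manage_key_perms;`, which gives the runtime full control over container keyrings. Neither line carries a why-comment; I would add `# execmod: images with text-relocation binaries; key: manage container keyrings on start/stop` above them, with the second half verified against the runtime's actual keyring use before it is committed.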
@@ -181,7 +187,6 @@
 manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, 
container_runtime_tmp_t)
 manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, 
container_runtime_tmp_t)
 manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, 
container_runtime_tmp_t)
-files_tmp_filetrans(container_runtime_domain, container_runtime_tmp_t, { dir 
file lnk_file })
 
 manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, 
container_runtime_tmpfs_t)
 manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, 
container_runtime_tmpfs_t)
@@ -225,6 +230,7 @@
 manage_sock_files_pattern(container_runtime_domain, container_var_run_t, 
container_var_run_t)
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, 
container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file 
lnk_file sock_file })
+files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file 
lnk_file sock_file })
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom 
rw_chr_file_perms setattr_chr_file_perms };
 term_create_pty(container_runtime_domain, container_devpts_t)
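Review bot: The added `files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })` labels everything the runtime creates under /tmp as container_var_run_t, replacing the `container_runtime_tmp_t` transition removed in the hunk at `@@ -181,7 +187,6 @@`. Every domain that may read or connect to container_var_run_t objects therefore also reaches runtime-created /tmp entries, and nothing in the hunk says why the two labels are merged. If the motivation is that runtime sockets placed under /tmp must carry the same label as those under /run, add `# Runtime state created under /tmp gets the /run label so clients find it at either location` above the line; otherwise the change deserves a second look.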
@@ -237,6 +243,9 @@
 kernel_setsched(container_runtime_domain)
 kernel_rw_all_sysctls(container_runtime_domain)
 
+domain_obj_id_change_exemption(container_runtime_t)
+domain_subj_id_change_exemption(container_runtime_t)
+domain_role_change_exemption(container_runtime_t)
 domain_use_interactive_fds(container_runtime_domain)
 domain_dontaudit_read_all_domains_state(container_runtime_domain)
 domain_sigchld_all_domains(container_runtime_domain)
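Review bot: The three added `domain_obj_id_change_exemption` / `domain_subj_id_change_exemption` / `domain_role_change_exemption` calls target the type `container_runtime_t` while every neighbouring rule targets the `container_runtime_domain` attribute; if other runtimes in that attribute also launch containers under a different SELinux user or role they are not covered, so confirm the narrower scope is intentional. The lines also lack a why-comment although they lift the constraints on changing user, role and object identity across transitions, which is presumably what allows the runtime to label containers with caller-chosen user/role options. I would add `# The runtime labels containers with caller-chosen SELinux user/role; exempt it from the identity-change constraints` above them.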
@@ -244,6 +253,13 @@
 domain_read_all_domains_state(container_runtime_domain)
 domain_getattr_all_domains(container_runtime_domain)
 
+userdom_map_tmp_files(container_runtime_domain)
+
+optional_policy(`
+       gnome_map_generic_data_home_files(container_runtime_domain)
+       allow container_runtime_domain data_home_t:dir { relabelfrom relabelto 
};
+')
+
 gen_require(`
        attribute domain;
 ')
@@ -382,6 +398,7 @@
 kernel_dontaudit_setattr_proc_dirs(container_runtime_domain)
 kernel_dontaudit_write_usermodehelper_state(container_runtime_domain)
 
+dev_setattr_null_dev(container_runtime_t)
 dev_getattr_all(container_runtime_domain)
 dev_getattr_sysfs_fs(container_runtime_domain)
 dev_read_rand(container_runtime_domain)
@@ -413,14 +430,13 @@
 fs_relabelfrom_xattr_fs(container_runtime_domain)
 fs_relabelfrom_tmpfs(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
-fs_list_hugetlbfs(container_runtime_domain)
 fs_getattr_all_fs(container_runtime_domain)
 fs_list_inotifyfs(container_runtime_domain)
 fs_rw_inherited_tmpfs_files(container_runtime_domain)
-fs_read_hugetlbfs_files(container_runtime_domain)
 fs_read_tmpfs_symlinks(container_runtime_domain)
 fs_search_tmpfs(container_runtime_domain)
-fs_rw_hugetlbfs_files(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
+fs_manage_hugetlbfs_files(container_runtime_domain)
 
 
 term_use_generic_ptys(container_runtime_domain)
@@ -444,6 +460,7 @@
 userdom_relabel_user_tmp_dirs(container_runtime_domain)
 userdom_use_inherited_user_terminals(container_runtime_domain)
 userdom_use_user_ptys(container_runtime_domain)
+userdom_connectto_stream(container_runtime_domain)
 
 tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(container_runtime_domain)
@@ -482,6 +499,8 @@
 fs_mount_fusefs(container_runtime_domain)
 fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
+storage_rw_fuse(container_runtime_domain)
+
 
 optional_policy(`
     files_search_all(container_domain)
@@ -507,6 +526,7 @@
 
 optional_policy(`
        dbus_system_bus_client(container_runtime_domain)
+       dbus_session_bus_client(container_runtime_domain)
        init_dbus_chat(container_runtime_domain)
        init_start_transient_unit(container_runtime_domain)
 
@@ -541,6 +561,13 @@
 ')
 
 optional_policy(`
+       gen_require(`
+               role staff_r;
+       ')
+       role_transition staff_r container_runtime_exec_t system_r;
+')
+
+optional_policy(`
        unconfined_stub_role()
        unconfined_domain(container_runtime_t)
        unconfined_run_to(container_runtime_t, container_runtime_exec_t)
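Review bot: `role_transition staff_r container_runtime_exec_t system_r;` moves staff_r users who execute the runtime binary into system_r, but a role transition only takes effect together with a matching type transition into container_runtime_t, which this hunk does not show; confirm one exists (possibly provided by a run interface elsewhere) and say so in a comment. The `gen_require` block lists only `role staff_r`, so `system_r` must already be required in this file for the rule to build — fine if it is, a compile error if not. I would add `# Let staff_r users run the runtime in its system_r role (domain transition from staff_t is defined elsewhere — confirm)` above the `role_transition`.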
@@ -587,6 +614,8 @@
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
+domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
+
 allow container_runtime_domain spc_t:process2 nnp_transition;
 admin_pattern(spc_t, kubernetes_file_t)
 
@@ -725,7 +754,7 @@
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;
 allow container_domain self:tcp_socket create_socket_perms;
-allow container_domain self:tun_socket { create_socket_perms relabelfrom 
relabelto };
+allow container_domain self:tun_socket { create_socket_perms relabelfrom 
relabelto attach_queue };
 allow container_domain self:udp_socket create_socket_perms;
 allow container_domain self:unix_dgram_socket create_socket_perms;
 allow container_domain self:unix_stream_socket create_stream_socket_perms;
@@ -794,10 +823,10 @@
 fs_getattr_all_fs(container_domain)
 fs_list_inotifyfs(container_domain)
 fs_rw_inherited_tmpfs_files(container_domain)
-fs_read_hugetlbfs_files(container_domain)
 fs_read_tmpfs_symlinks(container_domain)
 fs_search_tmpfs(container_domain)
-fs_rw_hugetlbfs_files(container_domain)
+fs_list_hugetlbfs(container_domain)
+fs_manage_hugetlbfs_files(container_domain)
 fs_exec_hugetlbfs_files(container_domain)
 fs_dontaudit_getattr_all_dirs(container_domain)
 fs_dontaudit_getattr_all_files(container_domain)
@@ -807,6 +836,7 @@
 userdom_use_user_ptys(container_domain)
 userdom_rw_inherited_user_pipes(container_domain)
 
+domain_user_exemption_target(container_t)
 domain_dontaudit_link_all_domains_keyrings(container_domain)
 domain_dontaudit_search_all_domains_keyrings(container_domain)
 
@@ -1119,6 +1149,7 @@
 container_stream_connect(container_kvm_t)
 
 dev_rw_inherited_vhost(container_kvm_t)
+dev_rw_vfio_dev(container_kvm_t)
 
 corenet_rw_inherited_tun_tap_dev(container_kvm_t)
 corecmd_exec_shell(container_kvm_t)
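Review bot: `dev_rw_vfio_dev(container_kvm_t)` grants the kvm container domain read/write on the VFIO device nodes, the interface used to hand whole devices to a guest, yet it lands next to the vhost rule without a comment. The changelog entry only mentions virtiofsd, so the VFIO access is not explained anywhere on the page; add `# VFIO device passthrough for kvm-based containers` above it, or note it as a follow-up if it simply came in with the upstream sync.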
@@ -1128,9 +1159,12 @@
 # virtiofs causes these AVC messages.
 kernel_mount_proc(container_kvm_t)
 kernel_mounton_proc(container_kvm_t)
+kernel_unmount_proc(container_kvm_t)
+kernel_dgram_send(container_kvm_t)
 files_mounton_rootfs(container_kvm_t)
 
 auth_read_passwd(container_kvm_t)
+logging_send_syslog_msg(container_kvm_t)
 
 optional_policy(`
        qemu_entry_type(container_kvm_t)

